On Thu, Feb 25, 2010 at 01:19:54PM +0100, Daniel Veillard wrote:
> On Wed, Feb 24, 2010 at 03:51:45PM -0500, Cole Robinson wrote:
> > Hi guys,
> >
> > Looking at the new FS pool build options and talking with Dave, I see that
> > calling PoolBuild on an FS pool now unconditionally calls mkfs. This is really
> > bad when mixed with virt-manager: previously, we assumed the FS build command
> > was always non destructive (at most it created a directory), so we called it
> > every time, and didn't even allow users to opt out, since there wasn't a use
> > case that called for it.
> >
> > This new formatting behavior really needs to be opt in, otherwise all
> > virt-manager versions creating an FS pool can destroy data.
> >
> > Just FYI, for disk pools (and certain LVM configurations) where this operation
> > has always been destructive, we default to build=off, and loudly warn the user
> > if they choose otherwise. We can do that with this new option as well, but the
> > previous behavior really needs to be reinstated IMO (and before the new release).
> >
> > I fully accept that this could be a bug in virt-manager's assumptions of the
> > build command, but even consider a virsh user: previously build just created a
> > directory, now it formats a partition, without any XML change.
>
> I was initially reluctant to change the behaviour, and asked to use a
> flag to keep the original default semantic. I got convinced that no one
> could rely on it because the function was basically incomplete. But since
> virt-manager ships with an expectation on the previous behaviour, I
> revert my position, we need to add a _FORMAT = 4 flag for this call and
> only call mkfs if that flag is passed. Fix is trivial we should not
> push 0.7.7 without it,

I really don't want to add an extra flag, because it makes filesystem
pool a special case. The 'build' operation is intentionally destructive
by its very definition, and virt-manager should never be expecting it to
be safe to call on specific pool types.

IMHO, we should do two things to address this

 - Fix virt-manager to not call build all the time for any pool
   type - it must only do it when explicitly requested
 - Make the 'build' operation check to see if the pool is
   already constructed (eg LVM magic check for logical pools,
   FAT partition check for disk pools & filesystem magic check
   for the fs pool). Reject the build operation if any of these
   show that the pool exists / is already built
 - Add a 'OVERWRITE' flag, to allow apps to forcibly reformat,
   regardless of current state

This will let us keep consistent semantics for all pool types, while still
protecting against broken apps like virt-manager which are blindly calling
build when they shouldn't.

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
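
The guard proposed in the message above (probe for an existing signature, reject the build unless an overwrite flag is passed), as an added example that is not part of the original mail and is not libvirt's code. The function names, the enum and the BUILD_OVERWRITE value are hypothetical; the sample images are constructed in memory.

```c
/* Added illustration, not libvirt code; every identifier here is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum sig { SIG_NONE, SIG_XFS, SIG_LVM2, SIG_EXT, SIG_BOOT };
#define BUILD_OVERWRITE 0x1u /* assumed flag value, not libvirt's */

/* Look for well-known on-disk signatures in the start of a device. */
enum sig probe_existing(const uint8_t *b, size_t len)
{
    if (len >= 4 && memcmp(b, "XFSB", 4) == 0)
        return SIG_XFS;                 /* XFS superblock magic, offset 0 */
    if (len >= 520 && memcmp(b + 512, "LABELONE", 8) == 0)
        return SIG_LVM2;                /* LVM2 PV label, default sector 1 */
    if (len >= 1082 && b[1080] == 0x53 && b[1081] == 0xEF)
        return SIG_EXT;                 /* ext2/3/4 s_magic 0xEF53, LE */
    if (len >= 512 && b[510] == 0x55 && b[511] == 0xAA)
        return SIG_BOOT;                /* MBR / FAT boot sector signature */
    return SIG_NONE;
}

/* 0 = safe to format, -1 = reject: existing data and no overwrite flag. */
int build_check(const uint8_t *b, size_t len, unsigned flags)
{
    if (flags & BUILD_OVERWRITE)
        return 0;
    return probe_existing(b, len) == SIG_NONE ? 0 : -1;
}

/* Build a constructed 2 KiB sample image carrying one signature and check it. */
int demo(enum sig kind, unsigned flags)
{
    uint8_t img[2048] = {0};
    if (kind == SIG_XFS)  memcpy(img, "XFSB", 4);
    if (kind == SIG_LVM2) memcpy(img + 512, "LABELONE", 8);
    if (kind == SIG_EXT)  { img[1080] = 0x53; img[1081] = 0xEF; }
    if (kind == SIG_BOOT) { img[510] = 0x55; img[511] = 0xAA; }
    return build_check(img, sizeof img, flags);
}

int main(void)
{
    printf("blank=%d ext=%d ext+overwrite=%d\n", demo(SIG_NONE, 0),
           demo(SIG_EXT, 0), demo(SIG_EXT, BUILD_OVERWRITE));
    return 0;
}
```

A caller reading from a real device should treat a short or failed read as an error rather than passing a truncated buffer, since a buffer too short to hold a signature probes as SIG_NONE here.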